SQL Server 加密层级
---------------------------------------------------------------------------------------------------------------------------------------------------------
第一层:
服务主密钥、它在有需要的时候自动生成、比如说要加密数据库主密钥的时候。而且不可以手工create。
然、
我们还是可以对其进行备份与还原的。
backup service master key to file = ‘E:\server_master_key.bak‘
encryption by password = ‘123456‘; -- 没有with
go
-------------------------
restore service master key from file = ‘E:\server_master_key.bak‘
decryption by password = ‘123456‘; -- 没有with
go
第二层:
数据库主密钥、它要我们手工的create 、它用来加密 证书,对称密钥,非对称密钥。
create master key encryption by password = ‘123456‘;
go
-----------------------------
如前面所说的、数据库主密钥是通过服务主密钥加密的! 那为什么在create master key 中还要有
ecryption by password 这一项呢!这是因为SQL Server 提供两种访问方式
1、自动型,简单的说就是SQL server 知道你要用了会去自动打开 master key,然而它也有不好的
的地方就是它要与权限关联。就是说如果你的账号没有适当的权限就打不开。
2、手动型,就是说你要手动的打开与关闭。
--------------------------------------
A、去除service master key 加密
alter master key drop encryption by service master key;
go; -- 没有with
---------------------------------------
B、增加 service master key 加密
open master key decryption by password = ‘1234567‘
alter master key add encryption by service master key;
close master key; -- 没有with
go
------------------------------
然、数据库主密钥也支持备份与还原
backup master key to file = ‘E:\master_key.bak‘
encryption by password = ‘123456‘; -- 没有with
go
---------------------------
restore master key from file = ‘E:\master_key.bak‘
decryption by password = ‘123456‘
encryption by password = ‘1234567‘ -- 没有with 但是一定要加encryption by password 这一项才可以正确的运行。
go
---------------------------
-----------总结:service master key 与 master key 的操作都不带with-----------------
第二层:
非对称加密部分、它用来加密数据。
创建:
create asymmetric key asy_key_test
with
algorithm = rsa_512
encryption by password = ‘123456‘;
go
删除:
drop asymmetric key asy_key_test;
go
加密:
insert into T(X,Y) values(1,ENCRYPTBYASYMKEY(ASYMKEY_ID(‘asy_key_test‘),‘this is the clear text‘));
go
解密:
select X,cast(
DECRYPTBYASYMKEY(ASYMKEY_ID(‘asy_key_test‘),Y,N‘abcdef‘) as varchar)
from T;
go
对于非对称的密钥、加密是用公钥完成的,解密是用私钥。
也就是说如果我们把密钥的私钥部分修改,解密时会出错
alter asymmetric key asy_key_test
with
private key(encryption by password = ‘abcdef‘,decryption by password = ‘123456‘);
go -- 小心with 后面是小括号!
-------------------------------------------------------------------------------------------------------------------
对称加密部分、
创建:
create symmetric key sym_key_test
with
algorithm = TRIPLE_DES
encryption by password = ‘123456‘;
-- encryption by asymmetric key asy_key_name;也是可以用
go
删除:
drop symmetric key sym_key_test;
使用:
open symmetric key sym_key_test decryption by password = ‘123456‘
insert into T3(X,Y) values(1,ENCRYPTBYKEY(KEY_GUID(‘sym_key_test‘),‘this is the text!‘));
select cast(DECRYPTBYKEY(Y) as varchar)from T3;
close symmetric key sym_key_test;
go
--------------- 加密时还是要有key_guid 的,解密时就不用这么多了--------------------------------------
证书部分:
证书有自己的公钥与私钥,还有过期时间,支持备份还还原就是说证书的可移植性强。
创建:
create certificate ctf_test
encryption by password = ‘123456‘
with
subject = ‘证书名:ctf_test‘,
start_date = ‘2014-10-16‘,
expiry_date = ‘2015-10-16‘
go
备份:
backup certificate ctf_test
to file = ‘E:\ctf_public.bak‘
with private key(file= ‘E:\ctf_private.bak‘,decryption by password= ‘123456‘,encryption by password= ‘123456‘);
go
还原:
create certificate ctf_test
from file = ‘E:\ctf_public.bak‘
with private key(file= ‘E:\ctf_private.bak‘,decryption by password= ‘123456‘,encryption by password= ‘123456‘);
go
管理证书的私钥:
删除、
alter certificate ctf_test
remove private key;
增加、
alter certificate ctf_test
with private key
(file= ‘E:\ctf_private.bak‘,decryption by password= ‘123456‘,encryption by password= ‘123456‘);
go
使用、
create table T4(X int ,Y varbinary(max));
go
加密:
insert into T4(X,Y) values(1,ENCRYPTBYCERT(CERT_ID(‘ctf_test‘),‘this is the text‘));
go
解密:
select * ,cast(DECRYPTBYCERT(CERT_ID(‘ctf_test‘),Y,N‘123456‘) as varchar) as [解密文本]
from T4;
go
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。
